The invention relates to a process and arrangement for securing a man-machine dialogue according to the generic concept of the independent patent claims.
A man-machine dialogue of this type is performed in digital signature procedures, for example. Digital signatures are used wherever the authenticity and integrity of electronic documents are at stake, for example in electronic commerce (e-commerce, banking, brokerage, etc.) or in public law, e.g. notarial authentication.
In order to perform a digital signature procedure, a suitable end-device is required, e.g. a special terminal or a personal computer, with which a dialogue is possible between a user and at least one application that can be run on the terminal, whereby communication between user and application takes place via input channels and output channels of the terminal. The modern terminals used in mobile telephone service also essentially meet all of the prerequisites for digital signature procedures: they are equipped with an alphanumeric display and a keypad and implicitly have a chip card reader.
In order to perform a digital signature, the document to be signed is sent via a suitable transmission path, e.g. in mobile telephone service via the mobile telephone network, from a requesting unit, e.g. a server, to a suitable terminal and/or to a signing device in the terminal or on the chip card. The terminal and/or the signing device in the terminal or on the chip card shows the document to be signed on the display of the terminal and prompts the user to initiate the signing operation via the keypad. For authentication, the signing device requires the user to enter a signature-PIN on the keypad. After input of the correct signature-PIN, the signing device carries out the signature and sends it together with the document back to the signature-requesting unit. It is also conceivable that the signing device (and/or the terminal) ensures the authenticity of the user by biometric processes, e.g. fingerprints, speech input, etc.
Since the signature-dialogue, i.e. the display of the document to be signed, the prompt for confirmation and the prompt for input of the signature-PIN, is embedded in a superordinate application-specific dialogue which originates from and/or is controlled by another source such as a WML-deck, i.e. not the signing device, and since in addition there are several sources that output to the display, e.g. other applications running in parallel, user control of the terminal, etc., the user cannot be sure whether the display of the document to be signed and the request for the signature-PIN are authentic, i.e. actually come from the signing device.
Basically, the user cannot recognize from whom the data shown on the display of the terminal comes. The applications, in particular for WAP (WML-decks), are usually anonymous, i.e. they are not checked and certified by the network operator or another authority. Thus, for example, it is possible for foreign applications to imitate the signature-dialogue of the signing device in order to obtain the user's signature-PIN.
The documents WO 98/19243 A2 and U.S. Pat. No. 5,822,436 A disclose processes and arrangements for handling security-critical procedures in data processing systems. In addition to the usual elements of a data processing system, such as processor and input/output units, the arrangements described contain special security devices. Thus, it is provided in WO 98/19243 A2 that the security device assumes control over the input and output units during the performance of all security-related procedures. In the patent U.S. Pat. No. 5,822,435 A, the security device is connected between the processor and the input and output units and provides for an encoding of the transmitted data. In the known processes and devices, however, it has not been provided that the input channels and/or output channels are allocated exclusively to one application at a time.
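As an added illustration that is not part of the patent text, the following Python model shows the exclusive allocation of a terminal's display and keypad to one application at a time: while the signing device holds both channels, a parallel WML-deck application can neither put its own PIN prompt on the display nor read the keypad, and the channels only become free again once the signature dialogue has ended. All class and method names are assumptions made for this example.

```python
class ChannelBusy(Exception):
    """Raised when an application touches a channel it does not hold."""

class Terminal:
    """Display and keypad are allocated to exactly one application at a time."""
    def __init__(self):
        self.owner = None      # application currently holding both channels
        self.display = []      # lines shown to the user
        self.keypad = []       # keystrokes entered by the user (constructed input)
        self.rejected = []     # audit trail of blocked accesses

    def acquire(self, app):
        """Exclusive allocation; denied while another application holds the channels."""
        if self.owner not in (None, app):
            self.rejected.append((app, "acquire"))
            return False
        self.owner = app
        return True
    def release(self, app):
        if self.owner == app:
            self.owner = None
    def show(self, app, text):
        """Only the owner may output to the display."""
        if self.owner != app:
            self.rejected.append((app, "display"))
            raise ChannelBusy(app)
        self.display.append(text)
    def read_pin(self, app):
        """Keypad input reaches only the owner, so a PIN cannot leak to a bystander."""
        if self.owner != app:
            self.rejected.append((app, "keypad"))
            raise ChannelBusy(app)
        return self.keypad.pop(0) if self.keypad else None

def run_scenario():
    """Signing device holds both channels for the whole dialogue while a parallel
    WML-deck application tries to imitate the PIN prompt (constructed scenario)."""
    term = Terminal()
    assert term.acquire("signing-device")
    term.show("signing-device", "Document: transfer 100 EUR   Sign? [OK]")
    try:                                # the foreign application's prompt is blocked
        term.show("wml-deck", "Enter signature-PIN:")
    except ChannelBusy:
        pass
    term.show("signing-device", "Enter signature-PIN:")
    term.keypad.append("1234")          # constructed user input
    pin = term.read_pin("signing-device")
    term.release("signing-device")      # channels free again only after the dialogue ends
    return {"pin": pin, "display": term.display, "rejected": term.rejected,
            "wml_acquired_after": term.acquire("wml-deck")}
```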